hostapd: Make sure hapd->drv_priv gets cleared on driver deinit

Couple of code paths in hostapd.c could have left hapd->drv_priv
pointing to memory that was freed in driver_nl80211.c when a secondary
BSS interface is removed. This could result in use of freed memory and
a segfault on the next driver operation (likely during interface
deinit/removal). Fix this by clearing hapd->drv_priv when there is
reason to believe that the old value is not valid within the driver
wrapper anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2014-05-31 17:11:04 +03:00
parent 438e13339d
commit d92bdf9602
1 changed files with 10 additions and 1 deletions


@ -284,6 +284,13 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd)
"Failed to remove BSS interface %s",
hapd->conf->iface);
hapd->interface_added = 1;
} else {
/*
* Since this was a dynamically added interface, the
* driver wrapper may have removed its internal instance
* and hapd->drv_priv is not valid anymore.
*/
hapd->drv_priv = NULL;
}
}
@ -1617,8 +1624,10 @@ void hostapd_interface_deinit_free(struct hostapd_iface *iface)
hostapd_interface_deinit(iface);
wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
__func__, driver, drv_priv);
if (driver && driver->hapd_deinit && drv_priv)
if (driver && driver->hapd_deinit && drv_priv) {
driver->hapd_deinit(drv_priv);
iface->bss[0]->drv_priv = NULL;
}
hostapd_interface_free(iface);
}
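Review bot: In hostapd_interface_deinit_free() only `iface->bss[0]->drv_priv` is cleared after `driver->hapd_deinit(drv_priv)`, so any other entry in `iface->bss[]` that still holds a driver pointer stays dangling until `hostapd_interface_free(iface)` has finished. The first hunk leaves `hapd->drv_priv` untouched in the "Failed to remove BSS interface" branch, so a secondary BSS whose removal failed looks like one such case; whether it can reach this point with a stale pointer is not visible here, since both functions start outside the hunks. If it can, clearing every entry up to `iface->num_bss` with `iface->bss[j]->drv_priv = NULL;` inside the same `if` block would close the gap. The second hunk would also benefit from a short comment like the one in the first, for example `/* hapd_deinit() freed the driver wrapper data; do not leave a stale pointer behind */`.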